On June 1, 2004 01:12 pm, Daniel Chemko wrote:
> #!/bin/bash
>
> IPT=/sbin/iptables
> HST_L_INET="100.100.100.100"
> HST_L_INTERNAL="192.168.0.1"
> IP_DST_LIST="1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4"
> PORT_LIS_LIST="15000 15001 15002 15003"
> PORT_DST_LIST="2000 2001 2002 2003"
>
> # This is just a demo. I'm sure bash arrays are cleaner...
> _count=1
> while [ ${_count} -lt 100 ];
> do
>   # pick the Nth word of each list (awk fields are 1-based)
>   _dip="`echo ${IP_DST_LIST} | awk "{print \$${_count}}"`"
>   _lpt="`echo ${PORT_LIS_LIST} | awk "{print \$${_count}}"`"
>   _dpt="`echo ${PORT_DST_LIST} | awk "{print \$${_count}}"`"
>   # stop at the first position where any of the three lists runs out
>   if [ ! -z "${_dip}" -a ! -z "${_lpt}" -a ! -z "${_dpt}" ]; then
>     $IPT -t nat -A PREROUTING -d ${HST_L_INTERNAL} -p tcp --dport ${_lpt} \
>       -j DNAT --to ${_dip}:${_dpt}
>     $IPT -t nat -A POSTROUTING -d ${_dip} -p tcp --dport ${_dpt} \
>       -j SNAT --to-source ${HST_L_INET}
>   else
>     break
>   fi
>   _count="$((_count + 1))"
> done
>
> Daniel

Umm. There's a contest I've heard of, -- something about obscurity??? *big grin*

Alistair

> Peter Marshall wrote:
> > So ... for every nat I have going from my internal network on a
> > specific port, destined to an external IP on a different port I need
> > to have something like this ?
> >
> > $IPT -t nat -A PREROUTING -d <firewall_ip> --dport 15000 -p tcp -i eth0 \
> >   -j DNAT --to-destination <some_internet_ip> --dport 2000
> >
> > $IPT -t nat -A POSTROUTING -d <some_internet_ip> --dport 2000 -p tcp -o eth0 \
> >   -j SNAT --to-source <firewall_ip>
> >
> > Is there a better way ??? I have about 20 routes to add .....
> >
> > Thank you for your help.
> >
> > Peter
> >
> >
> > ----- Original Message -----
> > From: "Alistair Tonner" <Alistair@xxxxxxxxxx>
> > To: <netfilter@xxxxxxxxxxxxxxxxxxx>
> > Sent: Tuesday, June 01, 2004 12:16 PM
> > Subject: Re: to snat or to dnat .. that is the question
> >
> > On June 1, 2004 10:51 am, Peter Marshall wrote:
> >> yes, my firewall is the default route on all internal boxes
> >>
> >> ----- Original Message -----
> >> From: "Piszcz, Justin Michael" <justin.piszcz@xxxxxxxxxxxx>
> >> To: "Peter Marshall" <peter.marshall@xxxxxxxxx>; "netfilter" <netfilter@xxxxxxxxxxxxxxxxxxx>
> >> Sent: Tuesday, June 01, 2004 11:42 AM
> >> Subject: RE: to snat or to dnat .. that is the question
> >>
> >> If the box 192.168.0.20 does not have the firewall's IP as its
> >> default route, then it will not work correctly (DNAT), I am not sure
> >> about SNAT.
> >>
> >> -----Original Message-----
> >> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> >> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Peter Marshall
> >> Sent: Tuesday, June 01, 2004 10:30 AM
> >> To: netfilter
> >> Subject: to snat or to dnat .. that is the question
> >>
> >> Hi again.
> >>
> >> I am at a bit of a quandary, and am not sure what to do.
> >>
> >> Let the external interface on my firewall be 100.100.100.100.
> >> I have an internal box, 192.168.0.20, that needs to connect to an
> >> external box 200.200.200.200 on port 2000.
> >>
> >> I want the internal box to connect to hit my firewall on a different
> >> port .. say 15000
> >>
> >> so basically
> >>
> >> start:          .... -s 192.168.0.20 -d 200.200.200.200 --dport 15000
> >> after firewall:      -s 100.100.100.100 -d 200.200.200.200 --dport 2000
> >>
> >> How can I do this ?
> >>
> >> I started out with:
> >>
> >> $IPT -t nat -A POSTROUTING -d 200.200.200.200 --dport 15000 -p tcp -i eth0 \
> >>   -j SNAT --to-source 100.100.100.100
> >>
> >> But this does not change the destination port (obviously). I thought
> >> about doing the following
> >>
> >> $IPT -t nat -A PREROUTING -d 100.100.100.100 --dport 15000 -p tcp -i eth0 \
> >>   -j DNAT --to-destination 200.200.200.200 --dport 2000
> >>
> >> However, I don't think that this will change my source address.
> >> Also, will this even forward the packets ? They would be coming in
> >> on the input chain would they not ?
> >
> > Since you've done this in PREROUTING, no, they won't hit the INPUT
> > chain. This is where to start.
> >
> > You need then to have a FORWARD rule to allow the packets, and
> > ESTABLISHED,RELATED, and then in POSTROUTING add a rule to SNAT those
> > packets destined to 200.200.200.200:2000 (you could, if need be, add
> > the source to the rule as well).
> >
> >> Thank you for the help.
> >> Peter Marshall
> >>
> >>
> >> Peter Marshall, BCS
> >> Network Administrator, CARIS
> >> 115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA
> >
> > Alistair Tonner
> > -- from slightly west of there, on the last lake
> > T.O.
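The same idea as a data-driven table in POSIX sh, added here as an example and not code from anyone in the thread: it validates every mapping before touching the firewall, emits the PREROUTING DNAT, FORWARD and POSTROUTING SNAT rules that Alistair's reply calls for, and prints the commands by default (IPT defaults to `echo /sbin/iptables`; set IPT=/sbin/iptables to apply them). The external interface name eth0 and the mapping table are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT / FORWARD / SNAT rules generated
# from a mapping table. Dry run by default; IPT=/sbin/iptables applies them.
IPT="${IPT:-echo /sbin/iptables}"
EXT_IF="eth0"                 # assumption: internet-facing interface
HST_L_INET="100.100.100.100"  # firewall public address (from the thread)
HST_L_INTERNAL="192.168.0.1"  # firewall internal address (from the thread)

# Constructed mapping table: <port on firewall> <remote host> <remote port>.
# Blank lines and lines starting with '#' are skipped.
NAT_MAP='
15000 1.1.1.1 2000
15001 2.2.2.2 2001
# 15002 3.3.3.3 2002   (disabled)
15003 4.4.4.4 2003
'
# is_port: true only for an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# emit_rules: print (or run) the rules for every mapping. Fails on the
# first malformed table line instead of installing a partial rule set.
emit_rules() {
    status=0
    printf '%s\n' "$NAT_MAP" | while read -r lpt dip dpt junk; do
        case "$lpt" in ''|'#'*) continue ;; esac
        if [ -n "$junk" ] || [ -z "$dip" ] || ! is_port "$lpt" || ! is_port "$dpt"; then
            echo "bad mapping line: '$lpt $dip $dpt $junk'" >&2
            exit 1   # leaves the pipeline subshell with a failure status
        fi
        # DNAT before routing, so the packet is forwarded rather than delivered
        # locally; match only traffic that did not arrive from the internet side.
        $IPT -t nat -A PREROUTING ! -i "$EXT_IF" -d "$HST_L_INTERNAL" -p tcp \
            --dport "$lpt" -j DNAT --to-destination "$dip:$dpt"
        # Allow exactly this rewritten flow through FORWARD.
        $IPT -A FORWARD -o "$EXT_IF" -d "$dip" -p tcp --dport "$dpt" \
            -m conntrack --ctstate NEW -j ACCEPT
        # Hide the internal client behind the firewall's public address.
        $IPT -t nat -A POSTROUTING -o "$EXT_IF" -d "$dip" -p tcp --dport "$dpt" \
            -j SNAT --to-source "$HST_L_INET"
    done || status=1
    # One stateful rule covers the reply direction for all mappings.
    [ "$status" -eq 0 ] && $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    return "$status"
}

emit_rules
```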